POL00104896 - “Royal Mail Internal Information Criminal Investigation Team: 7.8 Recovering Computers, Mobile Phones & Digital Storage Devices for Evidential Purposes” v1


POL00104896

Royal Mail

Royal Mail Internal Information
Criminal Investigation Team

7.8 Recovering Computers, Mobile Phones & Digital Storage Devices for Evidential Purposes

Version 1.0 Final
27th January 2011

Review Date: 27th January 2013

Ray Pratt

Head of Investigations Policy & Standards
Royal Mail Security


Contents

Key Accountabilities 3
1. Introduction 4
2. Digital Storage Devices 4
3. Recovering Desktop & Laptop Computers 5
4. Recovering Mobile Phones and Other Digital Storage Devices 7
5. General 8
Change Control 9
Glossary 10

© Royal Mail 2011 Recovering Computers, Mobile Phones & Digital Storage Devices for Evidential Purposes (7.8) - RM V1.0 - Page 2 of 12

Key Accountabilities

Who is accountable?                | What do I have to do?                  | When do I have to do this? | How do I do this?
-----------------------------------|----------------------------------------|----------------------------|-------------------------------------
All members of Royal Mail Security | Ensure you comply with the procedures  | Ongoing                    | As detailed within these procedures


Recovering Computers, Mobile Phones & Digital Storage Devices
for Evidential Purposes

1. Introduction

1.1 Vital evidence and intelligence can be obtained from computers, mobile phones and other digital storage devices. In order to maximise the value of such evidence and intelligence, Investigators must be aware of the correct procedures to be adopted when recovering such computers & devices. Following these procedures will ensure that any evidence obtained is admissible in Court.

1.2 The Association of Chief Police Officers (ACPO) Good Practice Guide for Computer Based Electronic Evidence outlines four principles when dealing with this type of evidence:

Principle 1: No action taken by Investigators should change the data, held on a computer or electronic storage media, which may subsequently be relied upon as evidence in court.

Principle 2: Only competent persons should access any original data held on a computer or on electronic storage media, and that person must be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The Investigator in the Case has overall responsibility for ensuring that the law and these principles are adhered to.

1.3 The Digital Forensics Team (DFT), Royal Mail Security, has a full understanding of the obligations imposed in satisfying these 4 principles. The DFT is responsible for the examination and extraction of data from computers and digital storage devices. (Full contact details for the DFT are in section 5 below.)

2. Digital Storage Devices

2.1 There are many types of digital storage device that may be encountered whilst searches are being conducted. These not only include computers and mobile phones; they also include such items as:

- External Hard Drives (these give computers extra data storage capacity)
- Memory Cards (available in many sizes)
- USB Sticks (any item which has a USB connector is potentially a data storage device)
- CDs/DVDs
- All-in-one computers (this is where the digital storage device (hard drive) is contained within the monitor or screen)
- Electronic Entertainment Devices (MP3 players, iPods and iPads, Kindle digital book readers etc.)
- 3G Dongle (looks like a USB flash drive but contains a small slot where a card fits)
- Digital Cameras

2.2 The extent of search and seizure will be dependent on the type of offence being investigated and the evidence or intelligence available. Investigators are encouraged to consider what it is they are investigating, what evidence they are seeking and where that evidence is likely to be found. Investigators must ensure that their actions are justifiable and proportionate.

If items are to be recovered from businesses, advice should be sought from the DFT at an early stage.

3. Recovering Desktop and Laptop Computers

3.1 Initial action on recovering Desktop or Laptop PCs. The initial action on discovering a PC which is to be recovered for evidential purposes is as follows:

3.1.1 Ensure that suspects or other persons are unable to tamper with the PC.

3.1.2 If printing, allow the printing to finish.

3.1.3 If it is deemed necessary, photograph or video the scene or consider drawing a sketch plan.

3.2 The subsequent action depends on whether the PC is on (see paragraph 3.5) or off (see paragraph 3.3).

3.3 Recovering Desktop and Laptop PCs which are switched off. The following further actions should be carried out if the PC is switched off:

3.3.1 Do not switch on the PC. (Make sure that the computer is switched off: some screen savers may give the appearance that the computer is switched off, but hard drive and monitor activity lights may indicate that the machine is switched on. If it is thought that the PC may be on then treat as in section 3.5 below.)

3.3.2 Be aware that some Laptops may power on by opening the lid; if the lid is closed, do not open it.

3.3.3 Unplug the power and other devices from sockets on the computer itself (i.e. not the wall socket).

3.4 Investigators should complete the process as described in paragraph 3.7 below.

3.5 Recovery of Desktop and Laptop PCs which are switched on. The following process should be undertaken if the PC is switched on:

3.5.1 If relevant, record what is on the screen by photograph or video (if a camera is available) and by making a written note.

3.5.2 Do not touch the keyboard or click the mouse. If the screen is blank or a screen saver is present, the Investigator should decide if they wish to restore the screen. If so, a short movement of the mouse should restore the screen or reveal that the screen saver is password protected.

a) If the screen restores and it is relevant, photograph or video it (if a camera is available) and note its content.

b) If password protection is shown, advice can be obtained from the owner/user as long as the information is treated with caution. If the screen restores, carry on as in a) above.

3.5.3 Record the time and activity undertaken in respect of the screen.

3.5.4 Shut down the computer by removing the power socket from the computer end.

3.5.5 Note the time the computer was switched off.

3.6 Investigators should then complete the process as described in paragraph 3.7 below.

3.7 Completing the Recovery Process.

3.7.1 If the PC is a Laptop then the battery should be removed. (The
power lead should be recovered).

3.7.2 Recover all the items which may contain data such as external
hard drives, USB sticks, DVDs etc. (If items containing data are
attached to the computer by leads then recover the leads). There is
no need to recover standard keyboards and the mouse unless required
for forensic analysis (e.g. fingerprints).

3.7.3 Search the area for diaries, notebooks or pieces of paper with
passwords on them, which are often attached or close to the
computer.

3.7.4 Ensure that all items have signed completed exhibit labels
attached to them to ensure continuity.

3.7.5 Ask the computer user for Passwords, PINs, User IDs and any
encryption keys. It is also advisable to recover operation manuals
if these are available.

3.7.6 Printers need only be recovered if required for forensic
comparisons with printed documents.

3.7.7 Investigators must ensure that they record accurately all the
actions taken or information obtained in relation to the recovery
of the computer equipment.

Below is a process map which may be of use as an aide memoire. (Word copy associated for ease of reproduction.)

Process for Recovering Computers for Evidential Purposes

[Process map: the flowchart "The Recovery of Computers" does not survive extraction. Its boxes read: Ensure that no one touches or interferes with the PC; If printing allow to finish; Photograph or sketch scene and components, including the leads in situ; Is the screen on? (No: Do not switch the PC on); If relevant record what is on the screen by photograph or video & written note; Screen restored? (See note 1); Screen is password protected; Remove the power lead by disconnecting it at the computer end & note time; If PC is a Laptop remove the battery; Recover any items or storage devices which may contain data; Search the area for passwords etc. (See note 1); Ensure that all items have signed and completed exhibit labels and that accurate records detail all the actions taken.]

4. Recovering Mobile Phones & Other Digital Storage Devices

4.1 If Investigators are going to seize such devices they must not examine any data on the device themselves. If they do, they may be unnecessarily changing the data recorded on the device, in breach of Principle 1 (paragraph 1.2).

Interception of Communications. In addition to changing potential data, Investigators should also be aware that there are Interception of Communication issues when examining devices used to access messages which are stored on electronic networks. These issues are understood by the DFT.

Isolate from Mobile Network. When recovering such devices the main point to consider is that they should be isolated from any "network" in order that the data on the device is not changed by receiving messages from the network (in accordance with Principle 1 at paragraph 1.2 above). The best way to do this is to switch the device off. Of course, as with computers, if there is any data on the screen which is relevant then this should be recorded, preferably by photograph or video, or if not by making a note. It is also important to note the time that the device was switched off and how it was switched off.

Unable to switch off. Some devices such as iPhones cannot be switched off and as such they cannot be isolated from the network. If this is the case then the time that the item was recovered must be noted. In these circumstances specialist advice from the DFT should be obtained as soon as practicable.

If any devices are seized the Investigator must ask for any passwords or PIN access numbers. Investigators should also recover power leads or other equipment such as "cradles" if they are needed to charge the device. Instruction books should also be recovered. Devices should be placed in a sealed envelope and then in a sealed exhibit bag, which should be signed and completed to ensure continuity. Placing the device in a sealed envelope will help prevent it being switched on accidentally or deliberately by persons unauthorised to do so.

Below is a process map which may be of use as an aide memoire. (Word copy associated for ease of reproduction.)


Process for Recovering Mobile Phones and Digital Storage Devices

[Process map: the flowchart "The Recovery of Mobile Phones" does not survive extraction. Its legible boxes read: Ensure that no one interferes with the device; Is the device on? (No: Do not switch the device on); If relevant record what is on the screen by photograph or video & written note; Turn off the device; Seek advice from the DFT as soon as practicable; Ensure the user is asked for any Passwords and PINs; Ensure that all items have signed and completed exhibit labels and that accurate records detail all the actions taken.]

5. General

5.1 Magnetic Fields. Seized computers and digital storage devices should be handled with care at all times. Magnetic fields can interfere with data and as such contact with them should be avoided.

Prior to the submission of a computer, mobile phone or digital storage device to the Digital Forensics Team the Investigator must complete a Digital Forensics Team Submission form GS308. Investigators should give details of the matter under investigation and the type of evidence or intelligence that they seek.

Computers, mobile phones and other digital storage devices should be transferred to the Digital Forensics Team by hand. Contact details for the team are below:

Address                  | Name                | Telephone
-------------------------|---------------------|----------
Digital Forensics Team   | Jo Dixon            |
Royal Mail Security      | David R Brassington |
Floor 2A Battersea SDO   | John Giddens        |
202 Lavender Hill        |                     |
LONDON SW11 1AA          |                     |

Change Control

Final | 1.0 | Ray Pratt | Michael F Matthews | 27th January 2011 | Internal

Authorisation

Title    | Name      | Date
Security | Ray Pratt | January 2011

Distribution List

All Royal Mail Security via Security Sharepoint | V1 | 27 Jan 2011

Documentation History

V1 | 27/01/11

Document Change History

V1 | Document Produced

Glossary

DFT  Digital Forensics Team

Document Summary

If you have any queries please contact:

Digital Forensics Team
Royal Mail Security
Floor 2A Battersea SDO
202 Lavender Hill
LONDON
SW11 1AA

Postline:
STD:
Fax: